Great. But why are you nuking the c:\winnt\system32\wins dir?

Originally posted here by cruzlanman:
Here's the fix we're implementing:
Via our network login script, we're first pushing the Microsoft RPC/DCOM Patch, then
deleting the registry keys via WSCRIPT (can supply the VBS by request), then
deleting the C:\winnt\system32\wins directory and its contents, then
we validate the fix(es) by running McAfee STINGER.EXE to scan all local disks.

This will only prevent infections based on the RPC/DCOM hole (i.e. Blaster/LoveSAN). It doesn't protect you against other viruses (like SoBig). SoBig-F doesn't (mis)use any bug or exploit to infect your system.

Originally posted here by cruzlanman:
That should prevent future infection, prevents recurrence by whacking the executables and registry entries.

I agree with 1 but not 2. Please note that there are viruses that use bugs in the OS. Some of these bugs will yield a higher privilege (LOCALSYSTEM) when exploited and thus cannot be stopped using this type of policy.

Originally posted here by cruzlanman:
All-in-all we could have avoided this by 1) having desktops patched and 2) putting desktop policies in place to eliminate installation of software locally (non-admin account).
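As an added worked example (this is not cruzlanman's login script, whose VBS was not supplied in the thread), here is the same four-step cleanup written in PowerShell, with the checks a practitioner would want around each step. Everything not stated in the post is an assumption: the hotfix id KB823980 for the MS03-026 RPC/DCOM patch and its /quiet /norestart switches, the Run value name 'windows auto update' (the msblast.exe autorun entry), the UNC paths, and Stinger's --ADL --GO --SILENT switches. The script also refuses to delete the wins directory on a host running the WINS service, because that directory is where the WINS database lives, and it stops any service or process executing out of the directory first so the delete does not fail on a locked file.

```powershell
<#
  Added example, not the script from the thread: the four login-script steps
  (push patch, remove autorun registry values, remove %SystemRoot%\system32\wins,
  run Stinger) with safety checks. Assumed, not from the post: KB823980 and its
  /quiet /norestart switches, the 'windows auto update' Run value, the UNC paths,
  and Stinger's --ADL --GO --SILENT switches. Run elevated; -WhatIf previews.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$PatchInstaller = '\\server\share\patches\KB823980.exe',  # assumed path
    [string]$PatchKb        = 'KB823980',                              # assumed id
    [string[]]$BadRunValues = @('windows auto update'),                # assumed value
    [string]$StingerPath    = '\\server\share\tools\stinger.exe',      # assumed path
    [string]$LogPath        = (Join-Path $env:SystemRoot 'rpc-dcom-cleanup.log')
)

$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$WinsDir = Join-Path $env:SystemRoot 'system32\wins'

function Write-Log([string]$Message) {
    $line = '{0:s} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# 1. Patch: install only if the hotfix is not already registered, then re-check.
if (-not (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess($PatchKb, 'Install hotfix')) {
        $p = Start-Process -FilePath $PatchInstaller -ArgumentList '/quiet', '/norestart' -Wait -PassThru
        Write-Log "patch installer exit code $($p.ExitCode)"
    }
}
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
Write-Log "$PatchKb present: $patched"

# 2. Registry: delete the autorun values the worm uses to survive a reboot,
#    logging what each one pointed at before it goes.
foreach ($name in $BadRunValues) {
    $prop = Get-ItemProperty -Path $RunKey -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $prop -and $PSCmdlet.ShouldProcess("$RunKey\$name", 'Remove value')) {
        Remove-ItemProperty -Path $RunKey -Name $name
        Write-Log "removed Run value '$name' -> $($prop.$name)"
    }
}

# 3. wins directory: never touch it on a real WINS server (its database lives
#    there); otherwise stop services and processes running from it, then delete.
if (Test-Path -LiteralPath $WinsDir) {
    if (Get-Service -Name WINS -ErrorAction SilentlyContinue) {
        Write-Log "WINS service present; leaving $WinsDir alone"
    } elseif ($PSCmdlet.ShouldProcess($WinsDir, 'Remove directory')) {
        Get-CimInstance Win32_Service |
            Where-Object { $_.PathName -like "*$WinsDir*" } |
            ForEach-Object {
                Write-Log "removing service $($_.Name) ($($_.PathName))"
                Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
                & sc.exe delete $_.Name | Out-Null
            }
        Get-Process | Where-Object { $_.Path -like "$WinsDir\*" } |
            ForEach-Object {
                Write-Log "killing $($_.ProcessName) pid $($_.Id)"
                Stop-Process -Id $_.Id -Force
            }
        Remove-Item -LiteralPath $WinsDir -Recurse -Force
        Write-Log "removed $WinsDir"
    }
}

# 4. Validate: Stinger over all local disks (switch names are an assumption).
if ($PSCmdlet.ShouldProcess('all local disks', 'Run Stinger')) {
    $s = Start-Process -FilePath $StingerPath -ArgumentList '--ADL', '--GO', '--SILENT' -Wait -PassThru
    Write-Log "stinger exit code $($s.ExitCode)"
}

# Exit non-zero when the RPC/DCOM hole is still open so the login script can flag the host.
if (-not $patched) { Write-Log 'hotfix still missing'; exit 1 }
exit 0
```

Run it elevated from the login script; -WhatIf lists every change without making it, and a non-zero exit code means the hotfix is still absent, so the host should be flagged rather than treated as clean. As the reply above notes, this closes only the RPC/DCOM hole: a mass-mailer that needs no exploit is untouched by any of these steps.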